httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45393] New: Apache returns 500 Error when no LDAP credentials are supplied
Date Mon, 14 Jul 2008 18:07:37 GMT

           Summary: Apache returns 500 Error when no LDAP credentials are
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap

There seems to be an issue on Windows Apache 2.2.9 when compiled against the
MSSDK for LDAP. When a user accesses an authenticated resource and is prompted
for credentials, if they do not enter a username and password and instead hit
OK at the prompt, Apache returns a 500 error due to a filter error.

Excerpt from the Error Log:
[Mon Jul 14 11:16:04 2008] [debug] mod_headers.c(711): headers:
[Mon Jul 14 11:16:08 2008] [debug] mod_authnz_ldap.c(377): [client] [6488] auth_ldap authenticate: using URL
referer: http://server:10080/app/
[Mon Jul 14 11:16:08 2008] [warn] [client] [6488] auth_ldap
authenticate: user  authentication failed; URI /app/servlet/Navigation
[ldap_search_ext_s() for user failed][Filter Error], referer:

Taken from the Access Log: - - [14/Jul/2008:11:16:08 -0500] "GET
/PDMPJL91/servlet/Navigation HTTP/1.1" 500 487 15625

I was slightly curious about this so I recompiled with a few lines of "random"
debugging to see what statements were firing and what some variables were
being set to in mod_authnz_ldap.c and util_ldap.c.

In mod_authnz_ldap.c's function static void authn_ldap_build_filter(...):
I added a logging statement in the 
if (sent_user != NULL) {
        user = apr_pstrdup (r->pool, sent_user);
to see what the user was being set to in the event this statement was
executing. The user was logged as "user=[]" and is clearly not NULL, which I
expected since in fact the if(sent_user != NULL) was executing. I originally
didn't expect this statement to execute at all.

The filter eventually gets created by:
        filter = sec->filter;

and is set to the "objectclass=*" (my logs kick out filter=[objectclass=*]).
From a quick glance that appears to be a valid filter for the MS
ldap_search_ext_s API.

Then when authn_ldap_check_password function gets executed I originally
expected the request to error out on the password=NULL and/or the username=NULL
check, however, these did not execute. I guess that means the empty user/pass
is an empty string as opposed to NULL.

In util_ldap.c the statement:
result = ldap_search_ext_s(ldc->ldap,
                               (char *)basedn, scope,
                               (char *)filter, attrs, 0,
                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);

results in the error code being Filter Error from the logs.

For sanity's sake, I tested with Firefox and IE to rule out any odd IE quirk.

Is this an Apache issue not handling the blank user/pass credentials properly?

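The empty-string versus NULL distinction the report describes, as an added example that is not part of the original message and not Apache's code. It assumes the user name is substituted into a filter of the form `(&(base)(attr=user))`; the function names, the return codes and the `uid` attribute are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Escape the characters RFC 4515 reserves inside an assertion value. */
static int escape_value(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        if (strchr("*()\\", *in)) {
            if (o + 3 >= outlen) return -1;          /* "\xx" plus NUL */
            o += (size_t)snprintf(out + o, outlen - o, "\\%02x",
                                  (unsigned char)*in);
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *in;
        }
    }
    out[o] = '\0';
    return 0;
}

enum { FILTER_OK = 0, FILTER_NO_USER = -1, FILTER_TOO_LONG = -2 };

/* Hypothetical helper. A NULL *or empty* user is refused up front, so the
 * caller can treat it as failed authentication instead of passing a
 * value-less "(attr=)" term to ldap_search_ext_s(). */
int build_user_filter(char *buf, size_t len, const char *base,
                      const char *attr, const char *user)
{
    char esc[256];
    int n;
    if (user == NULL || *user == '\0') return FILTER_NO_USER;
    if (escape_value(user, esc, sizeof esc) != 0) return FILTER_TOO_LONG;
    n = snprintf(buf, len, "(&(%s)(%s=%s))", base, attr, esc);
    return (n < 0 || (size_t)n >= len) ? FILTER_TOO_LONG : FILTER_OK;
}

int main(void)
{
    char f[512];
    const char *users[] = { "", "jdoe", "a*(b)" };   /* constructed inputs */
    for (size_t i = 0; i < 3; i++) {
        int rc = build_user_filter(f, sizeof f, "objectclass=*", "uid", users[i]);
        printf("user=[%s] rc=%d filter=%s\n", users[i], rc, rc ? "(none)" : f);
    }
    return 0;
}
```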